This privacy policy explains the nature, scope and purpose of the processing of personal data (hereinafter referred to as “data”) within our online offering and the associated websites, functions and content, as well as external online presences, such as our social media profiles (hereinafter collectively referred to as the “online offering”). With regard to the terms used, such as “processing” or “controller”, we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).

Responsible
AKTIONSBÜNDNIS PATIENTENSICHERHEIT e.V.

Office

Aktionsbündnis Patientensicherheit e.V.

Alte Jakobstraße 81

10179 Berlin

Chair: N. N.

Deputy Chair: Dr Christian Deindl

Secretary General: Joachim Maurice Mielert

Tel: +49 (0)30 3642 816 0

Fax: +49 (0)30 3642 816 11

The data protection officer of the data controller is:

Health365 AC GmbH

Frank Nelles c/o Mindspace

Kronenstraße 55-58

10117 Berlin

Germany

Types of data processed

– Personal details (e.g., names, addresses).

– Contact details (e.g., email addresses, telephone numbers).

– Content data (e.g., text entries, photographs, videos).

– Usage data (e.g., websites visited, content interests, access times).

– Meta/communication data (e.g., device information, IP addresses).

Categories of data subjects

Visitors and users of the online service (hereinafter, we refer to these data subjects collectively as “users”).

Purpose of processing

– To provide the online service, its functions and content.

– Responding to contact enquiries and communicating with users.

– Security measures.

– Audience measurement/marketing.

Terms used

“Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”); a natural person is regarded as identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers virtually any handling of data.

“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

“Profiling” means any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Relevant legal basis

In accordance with Article 13 of the GDPR, we hereby inform you of the legal bases for our data processing activities. Where the legal basis is not specified in the privacy policy, the following applies: The legal basis for obtaining consent is Article 6(1)(a) and Article 7 of the GDPR; the legal basis for processing to fulfil our services, carry out contractual measures and respond to enquiries is Article 6(1)(b) of the GDPR; the legal basis for processing to fulfil our legal obligations is Article 6(1)(c) of the GDPR, and the legal basis for processing to safeguard our legitimate interests is Article 6(1)(f) of the GDPR. In the event that the vital interests of the data subject or another natural person necessitate the processing of personal data, Article 6(1)(d) of the GDPR serves as the legal basis.

Security measures

In accordance with Article 32 of the GDPR, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.

These measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access to, input of, and disclosure of the data, ensuring its availability and its segregation. Furthermore, we have established procedures to ensure the exercise of data subjects’ rights, the erasure of data and a response to data breaches. We also take the protection of personal data into account right from the development and selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default (Article 25 of the GDPR).

Cooperation with data processors and third parties

Where, in the course of our data processing activities, we disclose data to other individuals or organisations (data processors or third parties), transfer it to them or otherwise grant them access to the data, this is done only on the basis of a legal authorisation (e.g. where the transfer of data to third parties, such as payment service providers, is necessary for the performance of a contract in accordance with Article 6(1)(b) of the GDPR), where you have given your consent, where a legal obligation requires it, or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).

Where we engage third parties to process data on the basis of a so-called ‘data processing agreement’, this is done in accordance with Article 28 of the GDPR.

Transfers to third countries

Where we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or where this occurs in connection with the use of third-party services or the disclosure or transfer of data to third parties, this will only take place if it is necessary to fulfil our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation, or on the basis of our legitimate interests. Subject to statutory or contractual permissions, we process data in a third country or have it processed there only if the specific conditions of Articles 44 et seq. of the GDPR are met. This means that processing takes place, for example, on the basis of specific safeguards, such as the officially recognised determination of a level of data protection equivalent to that of the EU (e.g. for the USA through the ‘Privacy Shield’) or compliance with officially recognised specific contractual obligations (so-called ‘standard contractual clauses’).

Rights of data subjects

You have the right to request confirmation as to whether data concerning you is being processed, and to obtain access to such data, as well as further information and a copy of the data, in accordance with Article 15 of the GDPR.

In accordance with Article 16 of the GDPR, you have the right to request that data concerning you be completed or that incorrect data concerning you be rectified.

In accordance with Article 17 of the GDPR, you have the right to request that the relevant data be erased without delay, or alternatively, in accordance with Article 18 of the GDPR, to request a restriction on the processing of the data.

You have the right to request that the data concerning you which you have provided to us be returned to you in accordance with Article 20 of the GDPR and to request that it be transferred to another controller.

You also have the right, pursuant to Article 77 of the GDPR, to lodge a complaint with the competent supervisory authority.

Right of withdrawal

You have the right to withdraw any consent you have given in accordance with Article 7(3) of the GDPR with effect for the future.

Right to object

You may object at any time to the future processing of your personal data in accordance with Article 21 of the GDPR. In particular, you may object to the processing of your data for direct marketing purposes.

Cookies and the right to object to direct marketing

“Cookies” are small files that are stored on users’ computers. Various types of information can be stored in cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after their visit to a website. Temporary cookies, also known as “session cookies” or “transient cookies,” are cookies that are deleted after a user leaves an online service and closes their browser. Such a cookie can, for example, store the contents of a shopping cart in an online store or a login status. Cookies that remain stored even after the browser is closed are referred to as “permanent” or “persistent.” For example, the login status can be stored so that users can access it again after several days. Similarly, such a cookie may store the user’s interests, which are used for audience measurement or marketing purposes. “Third-party cookies” are cookies provided by providers other than the controller operating the online service (otherwise, if only the controller’s cookies are used, they are referred to as “first-party cookies”).

We may use temporary and permanent cookies and provide information about this in our Privacy Policy.

If users do not wish to have cookies stored on their computer, they are asked to disable the corresponding option in their browser’s settings. Stored cookies can be deleted in the browser’s settings. Disabling cookies may result in limited functionality of this website.

A general objection to the use of cookies for online marketing purposes can be made for a wide range of services, particularly in the case of tracking, via the U.S. website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. Furthermore, you can prevent cookies from being stored by disabling them in your browser settings. Please note that this may prevent you from using all features of this website.

Deletion of Data

The data we process will be deleted or its processing restricted in accordance with Articles 17 and 18 of the GDPR. Unless expressly stated in this Privacy Policy, the data we store will be deleted as soon as it is no longer necessary for the purpose for which it was collected and there are no legal retention obligations preventing its deletion. If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.

In accordance with legal requirements in Germany, data is retained in particular for 10 years pursuant to Sections 147(1) AO, 257(1) nos. 1 and 4, (4) HGB (books, records, management reports, accounting documents, trading books, documents relevant for taxation, etc.) and for 6 years pursuant to Section 257(1) nos. 2 and 3, (4) HGB (business correspondence).

In accordance with Austrian legal requirements, records must be retained for 7 years pursuant to Section 132(1) of the Federal Tax Code (BAO) (accounting records, receipts/invoices, accounts, supporting documents, business papers, statements of income and expenses, etc.), for 22 years in connection with real estate, and for 10 years for documents related to electronically supplied services, telecommunications, radio, and television services provided to non-business customers in EU member states for which the Mini One-Stop Shop (MOSS) is utilized.

Provision of our services in accordance with our bylaws and business practices

We process the data of our members, supporters, prospective clients, customers, or other individuals in accordance with Article 6(1)(b) of the GDPR, provided that we offer them contractual services or act within the scope of an existing business relationship—for example, with members—or are ourselves recipients of services and contributions. Furthermore, we process the data of data subjects pursuant to Article 6(1)(f) of the GDPR based on our legitimate interests, e.g., in connection with administrative tasks or public relations.

The data processed in this context, as well as the nature, scope, purpose, and necessity of its processing, are determined by the underlying contractual relationship. This generally includes personal records and master data (e.g., name, address, etc.), as well as contact details (e.g., email address, phone number, etc.), contract details (e.g., services used, content and information provided, names of contact persons), and, if we offer paid services or products, payment details (e.g., bank account information, payment history, etc.).

We delete data that is no longer necessary for the fulfillment of our statutory and business purposes. This is determined based on the respective tasks and contractual relationships. In the case of business-related processing, we retain the data for as long as it may be relevant for business transactions, as well as with regard to any warranty or liability obligations. The necessity of retaining the data is reviewed every three years; otherwise, the statutory retention obligations apply.

Contact Us

When you contact us (e.g., via the contact form, email, phone, or social media), your information is processed in accordance with Article 6(1)(b) of the GDPR to handle and process your inquiry. Your information may be stored in a customer relationship management system (“CRM system”) or a similar inquiry management system.
We delete the inquiries once they are no longer necessary. We review the necessity of retention every two years; furthermore, statutory archiving obligations apply.

Google Tag Manager

Google Tag Manager is a solution that allows us to manage so-called website tags via a user interface (and thus, for example, integrate Google Analytics and other Google marketing services into our online offering). The Tag Manager itself (which implements the tags) does not process any of the users’ personal data. With regard to the processing of users’ personal data, please refer to the following information regarding Google services.

Terms of Use: https://www.google.com/intl/de/tagmanager/use-policy.html.

Google Analytics

We use Google Analytics, a web analytics service provided by Google LLC (“Google”), based on our legitimate interests (i.e., our interest in analyzing, optimizing, and ensuring the economic viability of our online offering within the meaning of Article 6(1)(f) of the GDPR). Google uses cookies. The information generated by the cookie regarding users’ use of the online service is generally transmitted to a Google server in the United States and stored there.

Google is certified under the Privacy Shield Framework and thereby guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

Google will use this information on our behalf to evaluate how users use our website, to compile reports on activity within the website, and to provide us with other services related to the use of the website and internet usage. In doing so, pseudonymous user profiles may be created from the processed data.

We use Google Analytics only with IP anonymization enabled. This means that the user’s IP address is truncated by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the United States and truncated there.

The IP address transmitted by the user’s browser is not merged with other data held by Google. Users can prevent the storage of cookies by adjusting their browser software settings accordingly; users can also prevent the collection of data generated by the cookie and related to their use of the online service by Google, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link:

http://tools.google.com/dlpage/gaoptout?hl=de.

For more information about Google’s use of data, as well as options for adjusting settings and opting out, please refer to Google’s Privacy Policy (https://policies.google.com/technologies/ads) as well as the settings for the display of ads by Google (https://adssettings.google.com/authenticated).

Users’ personal data is deleted or anonymized after 26 months.

Google Universal Analytics

We use Google Analytics in its “Universal Analytics” configuration. “Universal Analytics” refers to a Google Analytics feature in which user analysis is based on a pseudonymous user ID, thereby creating a pseudonymous user profile that combines information from the use of various devices (so-called “cross-device tracking”).

Integration of third-party services and content

Within our online offering, on the basis of our legitimate interests (i.e., our interest in the analysis, optimization, and economic operation of our online offering within the meaning of Article 6(1)(f) of the GDPR), we use content or service offerings from third-party providers in order to integrate their content and services, such as videos or fonts (hereinafter collectively referred to as “content”).

This always requires that the third-party providers of this content collect the users’ IP addresses, as they would not be able to send the content to the users’ browsers without the IP address. The IP address is therefore necessary for the display of this content. We endeavor to use only such content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. These “pixel tags” allow information such as visitor traffic on the pages of this website to be analyzed. The pseudonymous information may also be stored in cookies on the user’s device and may include, among other things, technical information about the browser and operating system, referring websites, visit duration, and other details regarding the use of our online service; it may also be linked to such information from other sources.

YouTube

We embed videos from the “YouTube” platform provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Privacy Policy: https://www.google.com/policies/privacy/

Opt-Out: https://adssettings.google.com/authenticated

Google Maps

We integrate maps from the “Google Maps” service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The data processed may include, in particular, users’ IP addresses and location data; however, this information is not collected without their consent (which is typically provided through the settings on their mobile devices). The data may be processed in the United States.

Privacy Policy: https://www.google.com/policies/privacy/

Opt-Out: https://adssettings.google.com/authenticated

Strato AG – Collection and Processing of HTTP Log Data

The websites of the Aktionsbündnis Patientensicherheit e.V. are hosted on servers provided by an external service provider, STRATO AG. Log data is collected by STRATO AG’s servers when you visit our websites. Log data includes, for example, the IP address of the device you use to access the website or a service, the type of browser you use, the website you visited previously, your system configuration, and date and time information. IP addresses are anonymized shortly after the connection to our website is terminated.

Please refer to STRATO AG’s privacy policy.

Strato Privacy Policy: www.strato.de/datenschutz/

Contact Information

Aktionsbündnis Patientensicherheit e.V.

Alte Jakobstraße 81, 10179 Berlin

Tel: +49 (0)30 3642 816 0, Fax: +49 (0)30 3642 816 11

To contact us by email, please use the following email address: